Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
07-09-2024 19:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
afa12aab342eaf22812d241c3d7a8a10N.exe
Resource
win7-20240708-en
windows7-x64
6 signatures
120 seconds
General
-
Target
afa12aab342eaf22812d241c3d7a8a10N.exe
-
Size
248KB
-
MD5
afa12aab342eaf22812d241c3d7a8a10
-
SHA1
5632f71574ad7487411fe48563f61c4ead050a07
-
SHA256
db6ab0c2fe9acb16fcf217a96619129862e559e0ed5efddeae60506d72683e67
-
SHA512
f5b8fd9aac80b5c6d039284bc26f1a50fe36b542295962649504dc4d9fadd5da65cb4da9c9c2566ca33cddac5453f19a879ffd2989dc674e73337ddeb656dfbf
-
SSDEEP
6144:n3C9BRo/AIX27NHWpU00VIxas1oa3YiFRle:n3C9uD6AUDCa4NYmRQ
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
resource yara_rule behavioral2/memory/3392-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3392-8-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3920-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3764-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1524-32-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/812-56-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2840-82-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1196-99-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3736-104-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4368-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4788-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4384-134-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1300-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5104-171-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4320-212-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1976-206-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1856-200-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3900-196-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2620-151-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3428-146-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/976-140-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3776-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2840-81-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/556-77-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3136-66-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5080-44-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3288-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3920 bhthbt.exe 3764 5tbthh.exe 1524 jjjvp.exe 3288 hbnhtt.exe 5080 jdpjd.exe 812 rflfrrr.exe 2264 rlrlxxl.exe 3136 tnnhbn.exe 556 5jppp.exe 2840 5jpjd.exe 840 thnhbn.exe 1196 7nbthb.exe 3736 rfxrrxr.exe 3776 3ffxrrl.exe 4368 nnhhhh.exe 1300 nhnhbb.exe 4788 jvdvp.exe 4384 rlrlrrx.exe 976 flrrfxf.exe 3428 llxrrlr.exe 2620 tbbbhh.exe 532 5jpjj.exe 3884 ffffffl.exe 5104 5bbbbb.exe 4732 bttnhh.exe 2636 7jjdv.exe 804 xllfxrr.exe 3900 bhhhbh.exe 1856 dvvdd.exe 1976 jdpjj.exe 4320 5lrrrrr.exe 2420 hbhhhh.exe 4584 5hnhnn.exe 2700 vjddp.exe 2596 vjjdv.exe 1524 9flxxxx.exe 2544 llffffl.exe 952 nhbnhb.exe 5080 thbtnn.exe 3084 dvvvv.exe 2952 pddpp.exe 4484 9ffxrxr.exe 5000 fxllrrr.exe 1576 bbbbbb.exe 3108 hbnnnn.exe 224 jdddp.exe 4968 ddvvv.exe 4084 ffffxff.exe 3372 lfxxrxx.exe 4372 btbbbb.exe 216 9hnthh.exe 1256 bthbbh.exe 4108 3vvpp.exe 3604 dddvv.exe 2880 5fllffx.exe 4500 ffxrllf.exe 4576 7nnbtt.exe 60 bnhnhh.exe 1376 ppjdv.exe 228 pvddv.exe 4632 rlxxxxl.exe 1064 fxfxrrr.exe 3932 5btttt.exe 4508 1hhhbh.exe -
resource yara_rule behavioral2/memory/3392-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3392-8-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3920-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3764-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1524-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1524-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1524-32-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/812-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2840-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1196-99-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3736-104-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4368-117-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4788-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4384-134-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1300-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5104-171-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4320-212-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1976-206-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1856-200-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3900-196-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2620-151-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3428-146-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/976-140-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3776-110-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/2840-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2840-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/556-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/556-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3136-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/812-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5080-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3288-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3288-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3288-35-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3392 wrote to memory of 3920 3392 afa12aab342eaf22812d241c3d7a8a10N.exe 83 PID 3392 wrote to memory of 3920 3392 afa12aab342eaf22812d241c3d7a8a10N.exe 83 PID 3392 wrote to memory of 3920 3392 afa12aab342eaf22812d241c3d7a8a10N.exe 83 PID 3920 wrote to memory of 3764 3920 bhthbt.exe 84 PID 3920 wrote to memory of 3764 3920 bhthbt.exe 84 PID 3920 wrote to memory of 3764 3920 bhthbt.exe 84 PID 3764 wrote to memory of 1524 3764 5tbthh.exe 121 PID 3764 wrote to memory of 1524 3764 5tbthh.exe 121 PID 3764 wrote to memory of 1524 3764 5tbthh.exe 121 PID 1524 wrote to memory of 3288 1524 jjjvp.exe 86 PID 1524 wrote to memory of 3288 1524 jjjvp.exe 86 PID 1524 wrote to memory of 3288 1524 jjjvp.exe 86 PID 3288 wrote to memory of 5080 3288 hbnhtt.exe 124 PID 3288 wrote to memory of 5080 3288 hbnhtt.exe 124 PID 3288 wrote to memory of 5080 3288 hbnhtt.exe 124 PID 5080 wrote to memory of 812 5080 jdpjd.exe 88 PID 5080 wrote to memory of 812 5080 jdpjd.exe 88 PID 5080 wrote to memory of 812 5080 jdpjd.exe 88 PID 812 wrote to memory of 2264 812 rflfrrr.exe 90 PID 812 wrote to memory of 2264 812 rflfrrr.exe 90 PID 812 wrote to memory of 2264 812 rflfrrr.exe 90 PID 2264 wrote to memory of 3136 2264 rlrlxxl.exe 91 PID 2264 wrote to memory of 3136 2264 rlrlxxl.exe 91 PID 2264 wrote to memory of 3136 2264 rlrlxxl.exe 91 PID 3136 wrote to memory of 556 3136 tnnhbn.exe 92 PID 3136 wrote to memory of 556 3136 tnnhbn.exe 92 PID 3136 wrote to memory of 556 3136 tnnhbn.exe 92 PID 556 wrote to memory of 2840 556 5jppp.exe 94 PID 556 wrote to memory of 2840 556 5jppp.exe 94 PID 556 wrote to memory of 2840 556 5jppp.exe 94 PID 2840 wrote to memory of 840 2840 5jpjd.exe 95 PID 2840 wrote to memory of 840 2840 5jpjd.exe 95 PID 2840 wrote to memory of 840 2840 5jpjd.exe 95 PID 840 wrote to memory of 1196 840 thnhbn.exe 97 PID 840 wrote to memory of 1196 840 thnhbn.exe 97 PID 840 wrote to memory of 1196 840 thnhbn.exe 97 PID 1196 wrote to memory of 3736 
1196 7nbthb.exe 98 PID 1196 wrote to memory of 3736 1196 7nbthb.exe 98 PID 1196 wrote to memory of 3736 1196 7nbthb.exe 98 PID 3736 wrote to memory of 3776 3736 rfxrrxr.exe 99 PID 3736 wrote to memory of 3776 3736 rfxrrxr.exe 99 PID 3736 wrote to memory of 3776 3736 rfxrrxr.exe 99 PID 3776 wrote to memory of 4368 3776 3ffxrrl.exe 100 PID 3776 wrote to memory of 4368 3776 3ffxrrl.exe 100 PID 3776 wrote to memory of 4368 3776 3ffxrrl.exe 100 PID 4368 wrote to memory of 1300 4368 nnhhhh.exe 101 PID 4368 wrote to memory of 1300 4368 nnhhhh.exe 101 PID 4368 wrote to memory of 1300 4368 nnhhhh.exe 101 PID 1300 wrote to memory of 4788 1300 nhnhbb.exe 102 PID 1300 wrote to memory of 4788 1300 nhnhbb.exe 102 PID 1300 wrote to memory of 4788 1300 nhnhbb.exe 102 PID 4788 wrote to memory of 4384 4788 jvdvp.exe 103 PID 4788 wrote to memory of 4384 4788 jvdvp.exe 103 PID 4788 wrote to memory of 4384 4788 jvdvp.exe 103 PID 4384 wrote to memory of 976 4384 rlrlrrx.exe 104 PID 4384 wrote to memory of 976 4384 rlrlrrx.exe 104 PID 4384 wrote to memory of 976 4384 rlrlrrx.exe 104 PID 976 wrote to memory of 3428 976 flrrfxf.exe 105 PID 976 wrote to memory of 3428 976 flrrfxf.exe 105 PID 976 wrote to memory of 3428 976 flrrfxf.exe 105 PID 3428 wrote to memory of 2620 3428 llxrrlr.exe 106 PID 3428 wrote to memory of 2620 3428 llxrrlr.exe 106 PID 3428 wrote to memory of 2620 3428 llxrrlr.exe 106 PID 2620 wrote to memory of 532 2620 tbbbhh.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\afa12aab342eaf22812d241c3d7a8a10N.exe"C:\Users\Admin\AppData\Local\Temp\afa12aab342eaf22812d241c3d7a8a10N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\bhthbt.exec:\bhthbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\5tbthh.exec:\5tbthh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\jjjvp.exec:\jjjvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\hbnhtt.exec:\hbnhtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\jdpjd.exec:\jdpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\rflfrrr.exec:\rflfrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\rlrlxxl.exec:\rlrlxxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\tnnhbn.exec:\tnnhbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\5jppp.exec:\5jppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\5jpjd.exec:\5jpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\thnhbn.exec:\thnhbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\7nbthb.exec:\7nbthb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\rfxrrxr.exec:\rfxrrxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\3ffxrrl.exec:\3ffxrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\nnhhhh.exec:\nnhhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\nhnhbb.exec:\nhnhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\jvdvp.exec:\jvdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\rlrlrrx.exec:\rlrlrrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\flrrfxf.exec:\flrrfxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\llxrrlr.exec:\llxrrlr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\tbbbhh.exec:\tbbbhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\5jpjj.exec:\5jpjj.exe23⤵
- Executes dropped EXE
PID:532 -
\??\c:\ffffffl.exec:\ffffffl.exe24⤵
- Executes dropped EXE
PID:3884 -
\??\c:\5bbbbb.exec:\5bbbbb.exe25⤵
- Executes dropped EXE
PID:5104 -
\??\c:\bttnhh.exec:\bttnhh.exe26⤵
- Executes dropped EXE
PID:4732 -
\??\c:\7jjdv.exec:\7jjdv.exe27⤵
- Executes dropped EXE
PID:2636 -
\??\c:\xllfxrr.exec:\xllfxrr.exe28⤵
- Executes dropped EXE
PID:804 -
\??\c:\bhhhbh.exec:\bhhhbh.exe29⤵
- Executes dropped EXE
PID:3900 -
\??\c:\dvvdd.exec:\dvvdd.exe30⤵
- Executes dropped EXE
PID:1856 -
\??\c:\jdpjj.exec:\jdpjj.exe31⤵
- Executes dropped EXE
PID:1976 -
\??\c:\5lrrrrr.exec:\5lrrrrr.exe32⤵
- Executes dropped EXE
PID:4320 -
\??\c:\hbhhhh.exec:\hbhhhh.exe33⤵
- Executes dropped EXE
PID:2420 -
\??\c:\5hnhnn.exec:\5hnhnn.exe34⤵
- Executes dropped EXE
PID:4584 -
\??\c:\vjddp.exec:\vjddp.exe35⤵
- Executes dropped EXE
PID:2700 -
\??\c:\vjjdv.exec:\vjjdv.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2596 -
\??\c:\9flxxxx.exec:\9flxxxx.exe37⤵
- Executes dropped EXE
PID:1524 -
\??\c:\llffffl.exec:\llffffl.exe38⤵
- Executes dropped EXE
PID:2544 -
\??\c:\nhbnhb.exec:\nhbnhb.exe39⤵
- Executes dropped EXE
PID:952 -
\??\c:\thbtnn.exec:\thbtnn.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5080 -
\??\c:\dvvvv.exec:\dvvvv.exe41⤵
- Executes dropped EXE
PID:3084 -
\??\c:\pddpp.exec:\pddpp.exe42⤵
- Executes dropped EXE
PID:2952 -
\??\c:\9ffxrxr.exec:\9ffxrxr.exe43⤵
- Executes dropped EXE
PID:4484 -
\??\c:\fxllrrr.exec:\fxllrrr.exe44⤵
- Executes dropped EXE
PID:5000 -
\??\c:\bbbbbb.exec:\bbbbbb.exe45⤵
- Executes dropped EXE
PID:1576 -
\??\c:\hbnnnn.exec:\hbnnnn.exe46⤵
- Executes dropped EXE
PID:3108 -
\??\c:\jdddp.exec:\jdddp.exe47⤵
- Executes dropped EXE
PID:224 -
\??\c:\ddvvv.exec:\ddvvv.exe48⤵
- Executes dropped EXE
PID:4968 -
\??\c:\ffffxff.exec:\ffffxff.exe49⤵
- Executes dropped EXE
PID:4084 -
\??\c:\lfxxrxx.exec:\lfxxrxx.exe50⤵
- Executes dropped EXE
PID:3372 -
\??\c:\btbbbb.exec:\btbbbb.exe51⤵
- Executes dropped EXE
PID:4372 -
\??\c:\9hnthh.exec:\9hnthh.exe52⤵
- Executes dropped EXE
PID:216 -
\??\c:\bthbbh.exec:\bthbbh.exe53⤵
- Executes dropped EXE
PID:1256 -
\??\c:\3vvpp.exec:\3vvpp.exe54⤵
- Executes dropped EXE
PID:4108 -
\??\c:\dddvv.exec:\dddvv.exe55⤵
- Executes dropped EXE
PID:3604 -
\??\c:\5fllffx.exec:\5fllffx.exe56⤵
- Executes dropped EXE
PID:2880 -
\??\c:\ffxrllf.exec:\ffxrllf.exe57⤵
- Executes dropped EXE
PID:4500 -
\??\c:\7nnbtt.exec:\7nnbtt.exe58⤵
- Executes dropped EXE
PID:4576 -
\??\c:\bnhnhh.exec:\bnhnhh.exe59⤵
- Executes dropped EXE
PID:60 -
\??\c:\ppjdv.exec:\ppjdv.exe60⤵
- Executes dropped EXE
PID:1376 -
\??\c:\pvddv.exec:\pvddv.exe61⤵
- Executes dropped EXE
PID:228 -
\??\c:\rlxxxxl.exec:\rlxxxxl.exe62⤵
- Executes dropped EXE
PID:4632 -
\??\c:\fxfxrrr.exec:\fxfxrrr.exe63⤵
- Executes dropped EXE
PID:1064 -
\??\c:\5btttt.exec:\5btttt.exe64⤵
- Executes dropped EXE
PID:3932 -
\??\c:\1hhhbh.exec:\1hhhbh.exe65⤵
- Executes dropped EXE
PID:4508 -
\??\c:\httttt.exec:\httttt.exe66⤵PID:2632
-
\??\c:\dvppd.exec:\dvppd.exe67⤵PID:1952
-
\??\c:\vppjj.exec:\vppjj.exe68⤵PID:2132
-
\??\c:\7frrllr.exec:\7frrllr.exe69⤵PID:392
-
\??\c:\thnnhb.exec:\thnnhb.exe70⤵PID:716
-
\??\c:\djpvv.exec:\djpvv.exe71⤵PID:4640
-
\??\c:\pjpjd.exec:\pjpjd.exe72⤵PID:4120
-
\??\c:\xxxrxrf.exec:\xxxrxrf.exe73⤵PID:4328
-
\??\c:\bhnnhh.exec:\bhnnhh.exe74⤵PID:4336
-
\??\c:\jdjdv.exec:\jdjdv.exe75⤵PID:3056
-
\??\c:\pvjdv.exec:\pvjdv.exe76⤵PID:1428
-
\??\c:\xffxrrr.exec:\xffxrrr.exe77⤵PID:4080
-
\??\c:\bthhnh.exec:\bthhnh.exe78⤵PID:4232
-
\??\c:\dvvpp.exec:\dvvpp.exe79⤵PID:2476
-
\??\c:\rrrlffx.exec:\rrrlffx.exe80⤵PID:3980
-
\??\c:\bttnbb.exec:\bttnbb.exe81⤵PID:5084
-
\??\c:\pjpjp.exec:\pjpjp.exe82⤵PID:1900
-
\??\c:\rrlllrl.exec:\rrlllrl.exe83⤵PID:4048
-
\??\c:\jddvp.exec:\jddvp.exe84⤵PID:2948
-
\??\c:\xflfxrr.exec:\xflfxrr.exe85⤵PID:3084
-
\??\c:\httttn.exec:\httttn.exe86⤵PID:1996
-
\??\c:\dppjd.exec:\dppjd.exe87⤵PID:3412
-
\??\c:\fffffxx.exec:\fffffxx.exe88⤵PID:4512
-
\??\c:\tnnnhh.exec:\tnnnhh.exe89⤵PID:1660
-
\??\c:\pvddv.exec:\pvddv.exe90⤵PID:5048
-
\??\c:\llxrllr.exec:\llxrllr.exe91⤵PID:2932
-
\??\c:\3rrlrrr.exec:\3rrlrrr.exe92⤵PID:840
-
\??\c:\bnnnnn.exec:\bnnnnn.exe93⤵PID:2340
-
\??\c:\3jppv.exec:\3jppv.exe94⤵PID:4556
-
\??\c:\lfrlxxr.exec:\lfrlxxr.exe95⤵PID:548
-
\??\c:\djvvv.exec:\djvvv.exe96⤵PID:3472
-
\??\c:\rrrrrfx.exec:\rrrrrfx.exe97⤵PID:4068
-
\??\c:\tnhbbn.exec:\tnhbbn.exe98⤵PID:220
-
\??\c:\7vpjj.exec:\7vpjj.exe99⤵PID:4240
-
\??\c:\rrxfxxr.exec:\rrxfxxr.exe100⤵PID:4324
-
\??\c:\1tbtnt.exec:\1tbtnt.exe101⤵PID:3516
-
\??\c:\jjdpd.exec:\jjdpd.exe102⤵PID:3308
-
\??\c:\7rrlfff.exec:\7rrlfff.exe103⤵PID:5076
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe104⤵PID:2852
-
\??\c:\7ddvj.exec:\7ddvj.exe105⤵PID:1872
-
\??\c:\bbbnhn.exec:\bbbnhn.exe106⤵PID:2344
-
\??\c:\pjpjd.exec:\pjpjd.exe107⤵PID:3328
-
\??\c:\3djpj.exec:\3djpj.exe108⤵PID:1432
-
\??\c:\7lrlflf.exec:\7lrlflf.exe109⤵PID:4852
-
\??\c:\bthhbb.exec:\bthhbb.exe110⤵PID:4796
-
\??\c:\5xxxlll.exec:\5xxxlll.exe111⤵PID:3772
-
\??\c:\9bhbbb.exec:\9bhbbb.exe112⤵PID:2124
-
\??\c:\1ddpj.exec:\1ddpj.exe113⤵PID:2132
-
\??\c:\jpddd.exec:\jpddd.exe114⤵PID:392
-
\??\c:\bbthth.exec:\bbthth.exe115⤵PID:716
-
\??\c:\vjpjp.exec:\vjpjp.exe116⤵PID:4640
-
\??\c:\9lrrllf.exec:\9lrrllf.exe117⤵PID:4864
-
\??\c:\ddppv.exec:\ddppv.exe118⤵PID:4844
-
\??\c:\vvvvd.exec:\vvvvd.exe119⤵PID:3920
-
\??\c:\lfllffx.exec:\lfllffx.exe120⤵PID:3056
-
\??\c:\flrfxxr.exec:\flrfxxr.exe121⤵PID:1428
-
\??\c:\htnhbb.exec:\htnhbb.exe122⤵PID:4080